Out of Control: Overcoming Control-Flow Integrity

2014 IEEE Symposium on Security and Privacy Pub Date : 2014-05-18 DOI:10.1109/SP.2014.43

Enes Göktas, E. Athanasopoulos, H. Bos, G. Portokalidis

{"title":"Out of Control: Overcoming Control-Flow Integrity","authors":"Enes Göktas, E. Athanasopoulos, H. Bos, G. Portokalidis","doi":"10.1109/SP.2014.43","DOIUrl":null,"url":null,"abstract":"As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents flows of control that were not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations require source code or debug information that is typically not available for commercial software. Second, in its ideal form, the technique is very expensive. It is for this reason that current research efforts focus on making CFI fast and practical. Specifically, much of the work on practical CFI is applicable to binaries, and improves performance by enforcing a looser notion of control flow integrity. In this paper, we examine the security implications of such looser notions of CFI: are they still able to prevent code reuse attacks, and if not, how hard is it to bypass its protection? Specifically, we show that with two new types of gadgets, return oriented programming is still possible. We assess the availability of our gadget sets, and demonstrate the practicality of these results with a practical exploit against Internet Explorer that bypasses modern CFI implementations.","PeriodicalId":196038,"journal":{"name":"2014 IEEE Symposium on Security and Privacy","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"401","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2014.43","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 401

Abstract

As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents flows of control that were not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations require source code or debug information that is typically not available for commercial software. Second, in its ideal form, the technique is very expensive. It is for this reason that current research efforts focus on making CFI fast and practical. Specifically, much of the work on practical CFI is applicable to binaries, and improves performance by enforcing a looser notion of control flow integrity. In this paper, we examine the security implications of such looser notions of CFI: are they still able to prevent code reuse attacks, and if not, how hard is it to bypass its protection? Specifically, we show that with two new types of gadgets, return oriented programming is still possible. We assess the availability of our gadget sets, and demonstrate the practicality of these results with a practical exploit against Internet Explorer that bypasses modern CFI implementations.

查看原文本刊更多论文

失控:克服控制流完整性

由于现有的ASLR、DEP和堆栈cookie等防御措施不足以阻止恶意攻击者利用我们的软件，因此对控制流完整性(CFI)的兴趣正在增长。在其理想形式中，CFI可以防止原始程序不打算使用的控制流，从而有效地阻止基于面向返回的编程的利用(以及许多其他攻击)。两个主要问题阻碍了CFI在实践中的部署。首先，许多CFI实现需要通常不用于商业软件的源代码或调试信息。其次，在理想状态下，这项技术非常昂贵。正因为如此，目前的研究重点是使CFI快速实用。具体来说，实际CFI的大部分工作都适用于二进制文件，并通过实施更宽松的控制流完整性概念来提高性能。在本文中，我们研究了这种松散的CFI概念的安全含义:它们是否仍然能够防止代码重用攻击，如果不能，绕过它的保护有多难?具体来说，我们展示了两种新类型的小工具，面向返回的编程仍然是可能的。我们评估了我们的小工具集的可用性，并通过一个针对Internet Explorer的实用漏洞证明了这些结果的实用性，该漏洞绕过了现代CFI实现。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE Symposium on Security and Privacy

自引率

0.00%

发文量